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Abstract 


We introduce a calculus for tuplices, which are expressions that 
generalize matrices and vectors. Tuplices have an underlying data 
type for quantities that are taken from a zero-totalized field. We start 
with the core tuplix calculus CTC for entries and tests, which are com- 
bined using conjunctive composition. We define a standard model and 
prove that CTC is relatively complete with respect to it. The core cal- 
culus is extended with operators for choice, information hiding, scalar 
multiplication, clearing and encapsulation. We provide two examples 
of applications; one on incremental financial budgeting, and one on 
modular financial budget design. 


1 Introduction 


In this paper we propose tuplix calculus: a calculus for so-called tuplices, 
which are expressions that generalize matrices and vectors. Tuplices have 
an underlying data type called quantities. We shall require that this data 
type is modeled by a zero-totalized field, in the terminology of [8, 3], as 
will be explained in Section 2. A typical example of a tuplix is a budget, 
a compound of various attributes, each of which possesses a certain value 
(a quantity) and may refer to certain conditions and/or interdependencies. 
Another example of a tuplix is the modeling of let-expressions in functional 
programming. We provide a standard model for tuplix calculus and discuss 
some examples of its use. 
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A tuplix generalizes a vector or a matrix in that it collects a number of 
quantities from the same data type under a number of names (dimensions 
of the vector, matrix entries). What differs in the design of tuplix calcu- 
lus from matrix or vector calculus is that other methods of compositional 
construction are envisaged. Conjunctive composition extends both vector 
(matrix) addition and set union into a novel compositional mechanism. In 
addition, ‘information hiding’ is provided which supports the use of auxil- 
iary values whose name is made externally invisible. In order to provide a 
simple semantic model of this form of information hiding, alternative com- 
position of tuplices is included as well. Alternative composition, written 
x+y denotes a tuplix which is either x or y. Information hiding is modeled 
using generalized alternative composition. A further key feature of tuplix 
calculus is the inclusion of conditions as atomic tuplices; this is done via a 
zero-test operator. Finally an encapsulation mechanism is proposed. En- 
capsulation removes an entry and enforces that it will contain quantity zero 
only. Encapsulation and alternative composition work together exactly as 
in the process algebra ACP [4] from which the typescript has been borrowed 
(see [1] and [10] for more recent expositions of ACP-style process algebra). 

Tuplices constitute a calculus rather than an algebra because informa- 
tion hiding introduces bound variables. The motivation for designing tuplix 
calculus came from a number of attempts to design financial budgets in a 
modular fashion. One might call a tuplix a budget but we prefer not to in- 
troduce that financial connotation by using a mathematically neutral term 
which can be viewed as describing a purely structural notion without any 
preferred application or even application area. We call tuplix calculus an 
abstract data type calculus. It is based on an algebraic abstract data type 
but this is augmented with operators involving bound variables, notably the 
generalized alternative composition operator. 

The design of tuplix calculus is based on zero-totalized fields because 
this drastically simplifies type checking in general and equational logic in 
particular for fields. That zero-totalized fields are meadows, which in gen- 
eral may feature proper zero-divisors as a natural generalization, is of less 
importance to the design of tuplix calculus. 

The paper is structured as follows. Section 2 discusses zero-totalized 
fields. Section 3 introduces the axiom system CTC (Core Tuplix Calculus). 
We define a standard model for the interpretation of tuplices and prove the 
relative completeness of CTC (relative: valid data identities are assumed in 
the proof theory) with respect to this standard model (Section 5). In the 
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next sections, CTC is extended with several operators, starting with alterna- 
tive composition in Section 6, leading to Basic Tuplix Calculus (BTC). Sec- 
tion 7 is an intermezzo containing some observations on the use of zero tests 
(zero-test logic). Section 8 introduces information hiding to BTC through 
the binding of data variables. Section 9 defines three auxiliary operations 
including encapsulation. Sections 10 and 11 present example applications. 
We end with some concluding remarks (Section 12). 


2 Cancellation Meadows 


Quantities will be taken from a non-trivial cancellation meadow, or, equiv- 
alently, from a zero-totalized field, in the terminology of [8, 3]. A zero- 
totalized field is the well-known algebraic structure ‘field’ with a total op- 
erator for division so that the result of division by zero is zero (and, for 
example, in a 47-totalized field one has chosen 47 to represent the result of 
all divisions by zero). 

A meadow is a commutative ring with unit equipped with a total unary 
operation (_)~' named inverse that satisfies the axioms 


(u)-t=u and u-(u-u 4) =u, 


and in which 0~! = 0. For quantities (and tuplix calculus) we also require 
the cancellation axiom 


u#40 & uwrv=u-w > v=w 


to hold, thus obtaining cancellation meadows, which we take as the math- 
ematical structure for quantities, requiring further that 0 4 1 to exclude 
(trivial) one-point models. These axioms for cancellation meadows charac- 
terize exactly the equational theory of zero-totalized fields [3]. The property 
of cancellation meadows that is exploited in the tuplix calculus is that di- 
vision by zero yields zero, while u-u~' = 1 for u 4 0. 

For the tuplix calculus, we define a data type (signature and axioms) 
for quantities which comprises the constants 0, 1, the binary operators + 
and -, and the unary operators — and (_)~!. We often write u— v instead 
of u+(—v), u/v instead of u-v—!, and wv instead of u-v, and we shall omit 
brackets if no confusion can arise following the usual binding conventions. 
Finally, we use numerals in the common way (2 abbreviates 1 + 1, etc.). 
The axiomatization consists of the cancellation axiom 


uZ#40 & u-v=u-w > v=uv, 


37 


the separation axiom 
0-1, 


and the following 10 axioms for meadows (see [3]): 


(utv)+w=ut+(v+u), 
UtV=U+tU. 
u+t0=u, 

u+(—u) = 0, 
(u-v)-w=u-(v-w), 
U-V=U-U, 

1l-u=u, 
u:-(u+w)=u-vt+u-u, 
(u")* =u, 


u-(u:ut)=u. 


The following identities are derivable from the axioms for meadows 
(see [3]). 


(0) " =0 
(uy! = —(w") 
Gwe tag a 

0-w=0 
u:—v = —(u-v) 


Furthermore, the cancellation axiom and axiom u- (u-u—') = u imply the 
general inverse law 
u#0 => uwl=l1 


of zero-totalized fields. 


3 Core Tuplix Calculus 


Tuplix calculus builds on the data type defined in Section 2 which specifies 
non-trivial cancellation meadows. We use the letters u, v and w as data 
variables, and the letters p and q to range over (open) data terms. 
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We start with a core calculus which can be extended with several op- 
erators (as is done in later sections). The theory is parametrized with a 
nonempty set A of attributes, ranged over by a and b. We further assume 
given a countably-enumerable set of tuplix variables, ranged over by x, y and 
z. We introduce the signature for tuplices. We have constants ¢ (the empty 
tuplix) and 6 (the null tuplix); the variables are tuplix terms; and there are 
two further kinds of atomic tuplices: entries (attribute-value pairs) of the 
form 

a(p) 


with a € A, and p a data term, and, for any data term p, the zero test 


1(p) 


(y g A). Finally, the core theory has one binary infix operator: the conjunc- 
tive composition operator ©. This operator is commutative and associative. 


Axioms: 

rOy=yOr (T1) 

(xOy)Oz=zr#O0(yOz) (T2) 

xrOe=zx (T3) 

LrOo= (T4) 

a(u) O a(v) = a(ut v) (T5) 

y(u) = y(u/u) (T6) 

7(0) =e (T7) 

yl) = 6 (T8) 


In this core calculus, a tuplix is a conjunctive composition of tests 
and entries, with ¢ representing an empty tuplix, and 6 representing an 
erroneous situation which nullifies the entire composition. Entries with the 
same attribute can be combined to a single entry containing the sum of the 
quantities involved (axiom T5). 

A zero test y(p) acts as a conditional: if the argument p equals zero, 
then the test is void and disappears from conjunctive compositions. If the 
argument is not equal to zero, the test nullifies any conjunctive composition 
containing it. Observe how we exploit the property of zero-totalized fields 
that p/p is always defined, and that the division p/p yields zero if p equals 
zero, and 1 otherwise. Further observe that an equality test p = gq can be 
expressed as 7(p — q). 
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A tuplix term is closed if it is does not contain tuplix variables and also 
does not contain data variables. A tuplix term is tuplix-closed if it does not 
contain tuplix variables (but it may contain data variables). For reasoning 
about tuplices with open data terms, we add the following two axioms: 


yu) O y(v) = y(u/u + v/v) (T9) 
yu — v) Da(u) = y(u— v) O a(v) (T10) 


The tuplix calculus is two-sorted. On the tuplix side we have the axioms 
T1-T10 and we use the proof rules of equational logic. On the data side, 
we refrain from giving a precise proof theory. We adopt the following rule 
to lift the valid data identities to the tuplix calculus: for all (open) data 
terms p and q, 

DEp=q implies 7(p) = (9), (DE) 
where D (a non-trivial cancellation meadow) is our model of the data type. 


This axiom system with axioms T1—T10 plus proof rule DE is denoted by 
CTC (Core Tuplix Calculus). 


4 Canonical Terms and Derived Proof Rules 


A CTC canonical term is a term of the form 


(po) D ai(p1) D- ++ O ag(pe) OT1 O--- OX, 
for some k,l > 0, and with distinct attributes a; fori =1,...,k. 
Lemma 1. Every CTC term is derivably equal to a CTC canonical term. 


Proof. Easy: If it contains the constant 6, the term equals the canonical 
term 7(1) (using axioms T4 and T8); conjunctive composition is commu- 
tative and associative; the « constant disappears (axiom T3); entries with 
same attribute are combined using axiom T5; tests are combined using ax- 
iom T9 (and if there are no tests, we add a void 7(0) test using axiom 
T7). 


The axiom system CTC is powerful enough for our purposes, as is wit- 
nessed by the completeness result in Section 5. Still, more general proof 
rules for the derivation of identities involving data equalities and substi- 
tution of data terms can be convenient. For example, we find that CTC 
derives the “obvious” identity 


a(u+v) = a(u+u) 
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rather indirectly: because (u + v) — (v+u) = 0 will be valid in our data 
model, we have 


y((u t+ v) — (vu +u)) = (0) 
by DE. Then we derive 
a(u+v) = aut v)O7((ut v) — (v+u)) = alu + wu) 


using axioms T3, T7, and T10. 
The following proof rule generalizes DE: 


DE p=q implies ¢[p/u] = t[q/ul, (DE*) 


for tuplix terms t and with substitution t[p/u] defined as usual for two- 
sorted equational logic (replacement of all data variables u in t by p). The 
following axiom scheme generalizes axiom T10: 


tO y(u— p) = t[p/u] Oy(u—p), (T10*) 


where ¢ ranges over tuplix terms. 
These two rules follow from CTC as we shall now prove. We start with 
two lemmas. 


Lemma 2. For all data terms p and q, 
DE (1-p/p)-q=0 implies CTC 7(p) = 7(p) © y(q). 


Proof. Assume that D — (1 — p/p)-q = 0. Observe that it follows that 


p/p = (p/p + q/q)/(p/p + 4/4) 


is a valid identity (check: distinguish cases p = 0 and p # 0). From this, 
derive 


(p/p) 
= 1((p/p + 4/4)/(p/p + 4/4) 
y(p) © ¥(4) 


1(p) 


using DE and axioms T6 and T9. 


Note that a test y((1— p/p) -q) may be read as the logical implication 
‘p = 0 implies g = 0’, see also Section 7. 
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Lemma 3. The following identity is derivable in CTC. 


yu) O(u—v) = 7(v) Oy(u— v) 
Proof. Observe that 
ujut(u—v)/(u—v) e 
(ae) 


(‘if uw = 0 and u = v, then v = 0’) is valid in any cancellation meadow. 
Derive 


y(u) Oy(u— v) = y(u/u+t (u—v)/(u— v)) 
= y(u/ut (u—v)/(u—v)) O yu) 
= 7(u) D y(u— v) © x(v) 


using Lemma 2 and axiom T9. The remaining part of the derivation is 
symmetrical. 


We are now ready to derive the two rules. 
e Case DET. Assume that D / p = q, and let t be a canonical term 


(po) © a1(p1) O-++ O ag(pe) O21 O--- OX, 


for some k,/ > 0. First observe that it follows from D — p = q that 


DF pilp/ul = pilg/u] and DE pilp/ul — pilg/u| = 0 
fori =0,...,k. From this and DE we derive that 
¥(polp/u]) = y(po[a/u]) 


and 


ai(pilp/u]) = ai(pilp/u]) O y(0) 
= aj(pi)[p/u] O y(pilp/u] — pilg/u)), 


so we can apply the required substitutions in the entries using axiom 
T10. 
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e Case T10*. Let t be a canonical term 


(po) © a1(p1) O-+- O ag(pe) O21 O--- OX, 


for some k,! > 0. Observe that for i =0,...,k, 


DE (1- (u—p)/(u— p)) - (pi — pilp/u)). 


Therefore we have by Lemma 2 that 


y(u— p) = y(u— p) O y(pi — Pilp/u)) 


so that we can perform the substitutions in the entries using ax- 
iom T10, and in the test 7(po) using Lemma 3. 


5 Standard Model and Relative Completeness 


We interpret tuplix terms in the standard model M(D, A), where D is the 
model of the data type for quantities, and A is the set of attributes that 
are used. The data model D is required to be a non-trivial cancellation 
meadow. We write D for the domain of D, and 0 for the element of D that 
is the interpretation of the data term 0. 

The standard model is based on the set 


F=AD 


of partial functions from A to D which are used to model the entries (the 
attribute-value pairs). The domain for the standard model is the power set 


oF 


of the set of partial functions. An element of this power set stands for a 
number of alternatives: for CTC, the interpretation of tuplix terms yields 
either the empty set (the interpretation of 6; absence of alternatives) or 
a singleton set. When we add choice to the theory (see Section 6), the 
interpretation may yield sets with more than one element. 

Some preliminaries: 


1. Fora € A, d € D, let fa be the partial function with faa(a) = d, 
and faa(b) undefined for b ¥ a. 
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2. We denote by f- the function in F’ with f(a) undefined for all at- 
tributes a € A; this function will be used in the interpretation of the 
term é. 


3. Define conjunctive composition @ on elements of F' as follows: for 
a € A, if both f and g are undefined for a, then (f © g) is undefined 
for a; if f(a) is defined and g is not defined for a, then (f ® g)(a) = 
(g © f)(a) = f(a); and if both f and g are defined for a, then (f © 
g)(a) = f(a) + g(a). 


The closed terms of CTC are interpreted in the standard model as 
follows. 


[5] = 0 
[el = {fe} 

a(p)I = {fasta} 

ate if [p] =0 


[6] otherwise 


sot]l={fog| f els], 9 € [} 


We say that closed terms s and t are equivalent with respect to the 
standard model if [s] = [¢]. Two open terms are equivalent, notation s ~ t, 
if all their closed instantiations are pair-wise equivalent. The axiom system 
CTC is sound with respect to the standard model, i.e., for all (open) tuplix 
terms s and t, CTC + s =t implies s ~ ft. 


Theorem 1. The axiom system CTC is complete with respect to the stan- 
dard model, i.e., for all (open) terms s andt, s~t implies CTCF s=t. 


This completeness is relative in the sense that our proof theory assumes, 
by adoption of rule DE, all valid data identities. 


Proof. Suppose s ~ t. Using Lemma, 1 we know that s and t are derivably 
equal to canonical terms 


s' = 7(po) D ay(p1) O-+- Dag(pe) O21 O° Oy 


and 


t' = ¥(qo) OD a1(qi) D- +: Dag(qu) O21 O--: Oxy 
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with k,! > 0. Observe that it follows from s ~ ¢ that we can find canonical 
terms having the same tuplix variables x; and (mutually distinct) attributes 
aj. 

It also follows from s ~ t, that whenever the test 7(po) succeeds, also 
the test (qo) succeeds, and vice versa. Therefore, the cancellation meadow 
identity po/po = qo/gdo must be valid. It follows that 


7(Po) = (4) 


is derivable using axiom T6 and DE. 

It further follows from s ~ t, that whenever the test y(po), and hence 
also (qo), succeeds, then it must be that pj = q fori = 1,...,k. A 
consequence is that the cancellation meadow identity 


(1 — po/po) (pi — i) = 0 
is valid (check: straightforward case distinction on po). Using Lemma 2 we 
find that 
Y(Po) = Y(Po) O (pi — 4%). 


Because we also have ¥(po) = y(qo) it is easy to see that s’ = t’ is derivable 
using axiom T10. 


6 Basic Tuplix Calculus 


The axiom system CTC is extended to Basic Tuplix Calculus (BTC), by 
addition of the binary operator + called alternative composition or choice 
to the signature, and by adoption of the following axioms. 


EEY= YTS (C1) 
(g+y)+z2=2+(yt+z) (C2) 
rt+nr=2 (C3) 
rt+o0=2 (C4) 
xO(y+z)=(rx#Oy)+(#Oz) (C5) 
y(u) + y(v) = y(ur) (C6) 


Because choice is an associative operator, we shall often omit brackets in 
repeated applications. 
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The standard model M(D, A) for CTC is extended to BTC by the 


following interpretation of alternative composition: 
[s+¢] = [s] Uf. 


So, the interpretation of a closed term yields a set of alternatives. Note that 
6 is a zero element for alternative composition: it stands for the absence 
of alternatives (recall that [6] = 0). The axioms C1—C6 are sound with 
respect to the standard model. 

As for CTC, completeness results are relative because, by adoption of 
proof rule DE, valid data identities may be used in derivations. The axiom 
system BTC is complete for closed (no data variables, no tuplix variables) 
terms. In the proof we use canonical terms: a BTC canonical term is an 
alternative composition 

ty +-:++ + te 


of CTC canonical terms for some k > 0 (in case k = 0, this term is defined 
as 0). Clearly, we can derive such a canonical term for every BTC term by 
pushing + outward using axiom C5. 


Theorem 2. For closed terms, BTC is complete with respect to the standard 
model, i.e., for closed terms s andt, s~t implies BTC} s =t. 


Proof. Take closed terms s and t with s ~ t. We may assume for s and t 
that there are respective canonical terms 


Sspt+---+s, and t)4+---4+1; 


such that [[s;] and [¢,] are singleton sets fori = 1,...,k and j = 1,...,1. 
Since [s] = [t], it is clear that for every s; there is a t; such that s; ~ t;, 
and vice versa. By completeness of CTC these are derivably equal. Then, 
s =t can be derived using axioms C1—C4. 


Completeness for open terms (which we did prove for CTC) appears to 
be more involved. We leave this open for future work. 


7 Zero-Test Logic 


We have seen how the zero-test operator y(p) tests the equality p = 0. Using 
axioms T6 and DB, it is easy to derive the following identities, which we 
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shall often use implicitly in derivations: 


y(—u), 
y(u) = y(u/n), 
y(n , u), 


where n ranges over all non-zero numerals. 

We present some observations on the use of the zero-test operator which 
lead to a simple logic. 

First, the empty tuplix ¢ with « = 7(0) by axiom T7 may be read as 
‘true’, and the null tuplix 6 with 6 = (1) by axiom T8 may be read as 
‘false’. 

Negation. Define the test ‘not p = 0’ by 


~ def 


Y(p) = (1 — p/p). 
Conjunctive composition of tests may be read as logical conjunction: 


v(p) © (4) ‘= (p/p + 4/9) 


tests ‘p= 0 and q=0’. 
Alternative composition of tests may be read as logical disjunction: 


v(p) + (q) ‘= (pq) 


tests ‘p= 0 or q=0’. 

A formula would then be a tuplix-closed (no tuplix variables) BTC 
term without entries. Any formula can be expressed as a single test 7(p) 
using axioms T7—T9 and C6, and the definition of negation. Let y range 
over formulas, and write ¢ for the negation of y. 

We find that this logic has all the usual properties. Clearly, conjunc- 
tion and disjunction are commutative, associative, and idempotent, and 
it is not difficult to derive distributivity, absorption, and double negation 
elimination. The following identities are easily derived as well: 


p+P=eE, (1) 
yOdp=s, (2) 
pre=eé, (3) 
poo=d. (4) 
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As usual, implication can be defined in terms of negation and disjunction: 


Y(p) + (gq) = (C1 — p/p) - 4) 
tests ‘p = 0 implies g = 0’. 


Note. If the absolute operator |_| (with |p| = p if p > 0, and |p| = —p 
otherwise) is added to the signature of the data type, we can also express 
inequalities: 

v(lq— pl = 9 —p) 


expresses the test p < q. 


We do not further use zero-test logic (apart from the notation ¥(p), 
which obviously can be avoided), we only presented this logic to emphasize 
some structural properties of the tuplix calculus. 


8 Generalized Alternative Composition 


The generalized alternative composition (or: summation) operator >>,, is 
a unary operator that binds data variable u and can be seen as a data- 
parametric generalization of the alternative composition operator +. We 
add this binder to the signature of BTC and write FV(t) for the set of free 
data variables occurring in tuplix term t. We write Var(p) for the set of 
data variables occurring in data term p (there is no variable binding within 
data terms). Define substitution t[p/u] as: replace every free occurrence of 
data variable u in tuplix term t by the data term p, such that no variables 


of p become bound in these replacements. E.g., recall the proof rule T107: 


tO y(u— p) =t[p/u] O y(u— p). 


This rule remains sound in the setting with summation, but application of 
the rule may require the renaming of bound variables in t using axiom S82, 
see below, so that the substitution can be performed. When considering 
substitutions we shall implicitly assume that bound variables are renamed 
properly. 

The axiom schemes for 5°, are as follows, where s and t range over 
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tuplix terms and p ranges over data terms. 


eat ifu Z FV(t) (S1) 
era if v ¢ FV(t) (S2) 

>, (s Ot) =s Odo, t if u Z FV(s) (S3) 
Duls +) = ius + Vat (S4) 
Duylu—p) =e if u ¢ Var(p) (S5) 
uv(u—p) =e if u ¢ Var(p) (S6) 


(Recall from Section 7 that ¥(p) is defined as (1 — p/p).) 
The standard model for BTC is extended with the following interpre- 
tation of summation: 


[>t] = {[¢[p/u]] | p a closed data term}. 


The axiom schemes S1—S6 are sound with respect to this model. 


Note. A similar summation operator (binding of data variables that gener- 
alizes alternative composition) is part of the specification language wCRL [12], 
which combines the process algebra ACP [4] with equationally specified ab- 
stract data types. A detailed exposition of a semantics and proof theory for 
this ‘choice quantification’ in the setting of process algebra can be found in 
the work of Luttik [13]. A corresponding treatment is possible in our case. 


Lemma 4. The following identities are derivable for all data terms p with 
u € Var(p). 


Proof. Derivation of (5): 
deult O y(u— p)) = L,(lp/u] O y(u — p)) 

= t[p/u] O D1, 7(u — p) 
= t[p/ul 

using T10*, $3 and $5. Derivation of (6): 

Dut = L(t O y(u— p)) + V(t O Yu — p)) 
= t[p/ul a5 Dut. 
using T3, (1), $4, C3, and (5). Derivation of (7): similar. 
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Example. We derive 
du(a(u) O y(u? — 1)) = a(-1) + a(1). 

Proof: from 

yu? — 1) = y((ut+ Du- 1) =7u+1)4+7(u-1) 
it follows that 
du(a(u) © y(u? — 1)) = Vi, (a(u) © (ut 1)) + X,(a(u) © y(u— 1) 
a(—1) + a(1) 
using (5). 


Example. Let-expressions or let-bindings allow value declarations or par- 
tial bindings in expressions. The term 


ult O y(u — p)) 


characterizes 
let u= pint. 


Of course, p may contain variables, as for instance ‘let u = 7v +1 in @’ can 
simply be expressed as 


y(t O y(u — Tv — 1)). 


9 Auxiliary Operators 


For BTC with summation, we define three auxiliary operators: scalar mul- 
tiplication, clearing, and encapsulation. In each case the axioms for choice 
and summation (numbered 6 and 7) can be omitted, for inclusion in axiom 
system CTC or BTC. 
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9.1 Scalar Multiplication 


Scalar multiplication p-t multiplies the quantities contained in entries in 
tuplix term t by p. It is specified by means of the following axioms. 


(Scl) 

(Sc2) 

(Sc3) 
u-a(v) = a(u-v) (Sc4) 
u:(xOy)=u-xQu-y (Sc) 
u-(~+y)=u-xtu-y (Sc6) 
pe =D Pee) if v ¢ Var(p) (Sc7) 


Axiom Sc7 is an axiom scheme with p ranging over data terms and t rang- 
ing over tuplix terms. An example with scalar multiplication is given in 
Section 10. 


Standard Model. Take the standard model M(D, A) as before (see Sec- 
tion 5). For partial function f € F and value d € D, define the scalar 
multiplication d- f as expected: (d- f)(a) = d-(f(a)) if f(a) is defined, and 
undefined otherwise. The interpretation of scalar multiplication is defined 
by 

[p-t] = {el - f | f € [eh 


9.2 Clearing 


For set of attributes J C A, the operator 


E17 (x) 
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renames all entries of x with attribute in J to e. It “clears” the attributes 
contained in J. Axioms: 


ey(€) =€ (Cll) 
er(6) =6 (C12) 
er(y(u)) = yu) (CI3) 
ali))= is A < 
er(x Oy) = €r(x) O erly) (Cl5) 
er(x + y) = €x(x) + Er(y) (C6) 


Er(iut) = Va ler()) (Cl7) 
For a set of attributes B C A one can think of a function 
Selectp(x) = E4\B(2). 


This function allows to focus on those entries with attribute contained in 
B. 


Standard Model. Take the standard model M(D, A) as before (see Sec- 
tion 5). Define the function ¢; on elements of F' as follows. For partial 
function f € F and attribute a € A, if f(a) is undefined or a € J, then 
€1(f)(a) is undefined, else ¢7(f)(a) = f(a). The interpretation of clearing: 


[er] = {er(f) | f € El}. 


9.3. Encapsulation 


Encapsulation can be seen as ‘conditional clearing’. For set of attributes 
H C A, the operator Oy(x) encapsulates all entries in x with attribute 
a€ H. That is, for a € H, if the accumulation of quantities in entries with 
attribute a equals zero, the encapsulation on a is considered successful and 
the a-entries are cleared (become ¢); if the accumulation is not equal to zero, 
they become null (6). This accumulation of quantities is computed per alter- 
native: the encapsulation operator distributes over alternative composition. 
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Axioms: 


On(e) =e (El) 
d4(5) =6 (E2) 
Ou(y(u)) = y(u) (E3) 

y(u) ifae H 
On (a(u)) = ee ifa ¢ H Ce 
On (x © On(y)) = On(x) O On(y) (E5) 
On(x + y) = On(x) + On(y) (E6) 


We further define 
Onun (x) = On 0 Op(2). 


Standard Model. Take the standard model M(D, A) as before. We say 
that a partial function f in F is neutral on attribute a, if either f(a) is 
undefined or f(a) = 0. We interpret encapsulation as follows. 


[dn (t)] = fex(f) | f € [¢], f neutral on all a € H}, 


where ey is as defined in Section 9.2. 


9.4 On the Derivation of Encapsulations 


By the derivation of an encapsulation we mean the elimination of the encap- 
sulation operator by application of its defining axioms from left to right. Of 
course, this elimination is in general only possible for tuplix-closed terms. 
We present some helpful identities and example derivations. 

We start with a lemma. 


Lemma 5. For all tupliz-closed terms t, if no element of set of attributes 
HT occurs in t, then 


and, for any term s, 


are derivable. 
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Proof. The first identity is easy, using structural induction on term t. Then, 
the second one follows using axiom E5: 


On(s Ot) = On(s O On(t)) = On(s) O On(t) = On(s) Ot 


When deriving an encapsulation, we generally split the encapsulation 
up: for a € H, we have by definition that 


On(t) = On\ {a} © Maz (4), 


and we start with O;,(t). Observe that encapsulation distributes over (gen- 
eralized) alternative composition, so we can push it inward until we reach an 
conjunctive composition in which we assume that the a-entries have been ac- 
cumulated into a single entry using axiom T5. So this yields an application 
of the form 


Dray (a(p) Ot’) 
where a does not occur in t’, so using Lemma 5, this is equal to 
y(p) Ot’. 
Example: 
4p} (a(—3) O (1) © (2) O B(—3) O c(3)) = Ago} (0(0) O a(—3) O e(3)) 
= 014}(b(0)) © a(—3) © e(3) 
) 


= 7(0) © a(—3) 0 e(3 
= a(—3) O c(3). 


Another example: 
Ofa,6} (a(0) O b(0)) = gaz © Agu} (a(0) OD B(0)) = Ofaz(a(O)) = e. 


In applications that use information hiding (summation), we typically 
encounter encapsulations like this one: 


Ifa} (4(2) © D2,,(a(—u) O b(u/2) O c(u/2))) = b(1) O (1), 


where instantiation of the hidden variable u is enforced by the encapsulation. 
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Let’s see how to derive such encapsulations. First, we have, for data 
term p with u ¢ Var(p), and tuplix-closed term t that does not contain a, 


a(p) D >7,,(a(q) Ot) = >7,,(a(p + g) Ot). 


Then we easily find that 


Ota} (a(p) O 2, (a(g) Ot)) = Duly + @) © t) 


using Lemma 5. In the particular case that q = —u we find 


ta} (a(p) O D1,(a(—u) © t)) = t[p/u] 
using (5). Another example: 
fa}(a(—6) © D7,,(a(2u) O t)) = D7, (7(2u — 6) Ot) 
= Viuly(u— 3) Ot) 
= 71370. 


In the next example, the instantiation is determined within the sum- 
mation: 


Ita} Diy(a(u + 1) © 6(—u/2))) = Dauly(u t+ 1) O b(-u/2)) 
b(1/2). 


In a similar way, one can reduce 
Ita} (do, (a(—u) O b(u/2) O e(—u/2) @ a(200) © b(—50) © c(—150))) 


to 
b(50) © c(—250). 


10 Example: Incremental Budgeting 


A financial budget is modeled as a tuplix. We let an entry a(p) represent a 
payment: the attribute a is used in the communication between payer and 
payee, and describes or identifies a transaction; we also refer to the attribute 
as the channel of the transaction, and say that the payment occurs along 
the channel. The term p represents the amount of money involved. An entry 
a(p) with p > 0 stands for an obligation to pay amount p along channel a. 
If p < 0, the entry stands for the expected receipt of amount p along a. 
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In the following example we consider some annual budgets. In order 
to simplify descriptions it is assumed that various payments are due twice 
per year only, during periods A and B. Attributes of the form aa and ag 
are used in the specification of payments during these respective periods. 
Examples with monthly, weekly or daily payments can be given in a similar 
fashion. 

Consider a budget Baoog containing the financial results of some entity 
in year 2006. E.g., take 


Booog = aa(30) oO ap(30) oO ba (20) oO bp(25) oO ca(—107). 


On the basis of this realized budget, an allocated budget for 2007 covering 
corresponding entries could be specified as, e.g., 


Boo07 = a4 (32) O ap(32) © ba(21) O bp(28) O ca(—116). 


Assuming that a 2008 budget is to be determined without having 2007 
realization figures available, several ways to adapt the 2007 budget to a 
2008 budget can be imagined. The widespread (and well-documented, see, 
e.g., [14]) strategy of incremental budgeting implies that the 2007 budget 
is taken as the point of departure for designing a 2008 budget. For 2008 
one may consider two possible budgets: an ad hoc increase of each entry, 
leading to something like 


Booog = a(33) © ap(33) © ba(22) O bp(30) © ca(—123), 


or, alternatively, 
Bagog = (1 + (i/100)) - Boooz 


which adjusts each 2007 entry with the same inflation percentage 7. 
Yet another option for a 2008 budget is to adjust the 2006 realization 
Booog with inflation twice. This yields 


Byoos = (1 + (¢/100))? - Baoos. 
Still another option for the definition of a 2008 budget is the average 
Byoos = (1/2) - (Baoos © Boos) 


of the latter two budgets. 
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11 Example: Modular Budget Design 


Modular financial budget design is a necessity in large organizations, as- 
suming that budgets are at all used, i.e., that ‘beyond budgeting’ [2] is not 
(yet) the dominant strategy for financial planning. Financial budgets are 
probably the most complex budgets around which calls for modularity. Sur- 
prisingly, however, we have not been able to find any literature about the 
subject of formalized modular budget design. In the example of this section 
we will outline how tuplix calculus can support modular budget descriptions 
in a meaningful way. The example is presented in abstract terms but its 
origin is practical. 

We consider an organization that consists of the following constituents:? 


e Part S is a financial source which correlates with production figures. 


e Part C is a control group that dispatches the incoming financial stream 
to the production units and the service center SC. 


e Parts PU; and PU are production units. These units produce the 
same two types of products (type 1 and type 2). 


e Part SC is a shared service center providing services needed by the 
production units. 


e Part CAP is a capacity group from which both production units draw 
manpower. 


Streams of money between these parts run as depicted in this figure: 


142 ee eg 
§ > en . CAP 
| PU, J82,882 
SC 


The labels (a1, a2, etc.) on the arrows in this picture are attribute names 
that will be used in the specification of payments. 


?In the practical case behind the example, S is a university division, C represents 
a graduate school, the PUs represent different master programs, SC provides various 
forms of support ranging from student counseling to timetabling, and CAP represents a 
department from which educational staff will be used. 
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The financial source rewards the production by the production units: 
for each product that is produced, a constant reward (depending on the 
type of the product) is allocated to the control group C. The control group 
will dispatch the rewards for both product types to the production units 
and to the service center. The production units receive money from C, and 
pay money to the capacity group in return of junior staff capacity as well 
as senior staff capacity. 

We specify budgets for the parts S$, C, PU; and PU2, and we will ex- 
amine how to compose one joint budget B from these. All budgets involved 
specify the same period of time (e.g., the calendar year 2008). We take a 
stepwise approach and specify the budgets in two phases taking increasingly 
more aspects into account. In the first stage, both production units obtain 
an equal reward, independent of their contribution to the total production. 
The budgets are defined as follows. 


e The financial source S rewards production: for each product of type i 
that is produced (i = 1,2), a constant reward reward; is allocated to 
the control unit C. For production unit PU; and product type j, the 
data variable 

nj 
stands for the number of products of type 7 produced by PU; during 
the period that is covered. 


The budget: 


Bg © ay (reward, - (m1, + n21)) O a2(rewardy - (nz + n22)) 


e The control unit C receives the rewards from the financial source. The 
amount paid to the service center SC is a fraction k (a value between 0 
and 1) of the incoming stream, independently of the use that is made 
of it. It further pays each production unit half of the reward total. 
(Observe that, unless k = 0, this budget is not balanced: the expenses 
are higher than the income.) 


Be 
a,(—u) O ag(—v) O 
c(k-(u+v))® 
bi((u+ v)/2) O be((u + v)/2)) 
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e Budgets for the production units: 


Bpu, = D,,(b1(—u) O Jsy(u/2) © 1(u/2)) 


Bpuz = di,(b2(—u) O jso(u/2) O ss2(u/2)) 


In this first version the production units obtain an equal amount of 
funding, which is spent in equal parts on senior staff (via ss1 and ss2) 
and on junior staff (via js, and js,). 


The combined budget: 


def 


a Of a4,02,b1,b2} (Bs © Bo O Bpy, O Bpw,). 
We find 


Be yak 
y(u — reward, - (ny, + na1) — reward2 - (m2 + n22)) O 
c(k + u) © js; (u/4) © ss1(u/4) O jso(u/4) O ss2(u/4)). 


A straightforward derivation of this identity leads to a closed term without 
summation; in the expression above we have introduced a ‘let-binding’ (see 
the example in Section 8) with variable u to improve the readability. 

In the second stage of the budget, we take into account that the pro- 
duction units need funding proportional to their production volume, and 
may spend their resources on senior staff capacity and junior staff capacity 
in different proportions. Moreover, the control unit also charges the pro- 
duction units for the costs of the services provided by SC. This leads to the 
following refinement of the budgets: 


Be = Dok 
a1(—u) © a2(—v) O 
k-c(ut+v)O 
(1 —k) - (bi ((mii/(ma + 121) 
bo((na1/(n11 i n21) n22/(M12 = n2))v))) 
Bpu, = do, (b1(—u) O jsy((1/4)u) © 881 ((3/4)u)) 
Bpu, = Y),,(b2(—u) O jso((1/3)u) © ss2((2/3)u)) 


m2/(mi2 + n22))v) O 


ju + ( 
jut ( 


Additional phases that take more aspects into account can be easily 
imagined. For instance both production units may be given a fixed amount 
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of funding independent of production volume and the remaining funding 
spread in proportion with production volume. That distribution strategy 
for C allows one unit to proceed when its production is low thus awaiting a 
next phase with better circumstances. 


12 Conclusion 


We have introduced a calculus for tuplices. It has an underlying data type 
called quantities which is required to be modeled by a zero-totalized field. 
We started with the core tuplix calculus CTC for entries and tests, which 
are combined using conjunctive composition. We defined a standard model 
and proved that CTC is relatively complete with respect to it. We further 
defined operators for choice, information hiding, scalar multiplication, clear- 
ing and encapsulation. We ended with two examples of applications; one 
on incremental financial budgeting, and one on modular financial budget 
design. 

We refer to [6] for a discussion on the formalization of financial budgets. 
It also contains a more elaborate application of the tuplix calculus in the 
style of the example in Section 11. 

Further related work seems to be scarce. We mention here the work 
of Elsas et al. [9, 11] on audit theory, and the work of Bergstra and Mid- 
delburg [5] on computational capital. Both are theoretical approaches that 
apply process theory in the analysis of organizations dealing with money 
streams: the former uses Petri nets, the latter process algebra. In this, they 
focus more on behavioral aspects than we do. 

An immediate issue for future work is the completeness of BTC for 
open terms, and consequently the completeness of BTC with summation. 
We would further like to connect this theory to the formalization of interface 
groups and financial transfer architectures studied in [7]. 
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